Akeyless SCP

Akeyless SCP enables secure copy via Secure Remote Access Bastion.



Akeyless SCP currently supports only UNIX-like OS.



  1. Download Akeyless SCP script:
curl -o akeyless-scp https://download.akeyless.io/Akeyless_Artifacts/Linux/SSH/akeyless-scp
chmod +x akeyless-scp
mv akeyless-scp /usr/local/bin
  1. Create your ~/.akeyless-sphere.rc :
# ---------------------------------------------------------------------
# Copyright © 2023  Akeyless Security LTD.
# All rights reserved
# ----------------------------------------------------------------------

# This file is a user-specific configuration file for akeyless-sphere Zero Trust Access
# it should be located in user home directory named .akeyless-sphere.rc

# identity_file - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)

# cert_issuer_name - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session

# profile - Akeyless CLI profile to be used

# Akeyless CLI binary (if needed)

# AKEYLESS_API_GW - URL for Akeyless API Gateway (RestAPI)

# Following are used for control service, to configure the temporary session:

# Allow caching of temp session creds

# Display connection stages

The latest version of this file can be found in Akeyless official artifacts.

Set the following settings as follow:

CERT_ISSUER_NAME - Full path to the Akeyless SSH Certificates Issuer item.

AKEYLESS_PROFILE - Set the default profile that will be used from your Akeyless Command Line Interface (CLI). By default, it's using the default profile of your Akeyless CLI.

AKEYLESS_GW_REST_API - Set your Akeyless Gateway URL on port 8080 for Zero-Knowledge items and for internal network access.

BASTION_API_PROTO - Default is http. Set to https when your Secure Remote Access Bastion is configured with TLS.

BASTION_API_PORT - Default is set to 9900. Set your matching ssh-sra cluster service port.

BASTION_SSH_PORT - Default is set to 22. Set your matching ssh-sra cluster service port.

Optional when working with Load Balancers, you can set the exact FQDN of your ssh-sra service, which listens to the bastion api control port:

BASTION_API_PREFIX - Set your FQDN prefix as your load balancer settings.

BASTION_API_PATH - Set your FQDN path as your load balancer settings.

Where the URL will be set as follow:


  1. Use akeyless-SCP command to perform secure copy to remote target server via Akeyless Secure Remote Access Bastion:

Full options list:

Usage: /usr/local/bin/akeyless-scp <user@remote-server[:port]> via <bastion-server[:port]> [options]

optional arguments:
    --cert-issuer-name      Akeyless certificate issuer name [mandatory]
    --local-file            File to copy [mandatory]
    --remote-file           File to copy [default is '~/']
    --direction             upload/download [default is 'upload']
    --profile               Use a specific profile from your Akeyless CLI
    -i                      Selects a file from which the identity (private key) for public key authentication is read [default is '~/.ssh/id_rsa']
    --ssh-extra-args        Use to add offical SSH arguments (except -i)

For example, this command will start to copy a local file, to a remote server.

akeyless-scp user@destination-server via <sra-bastion-ssh-service> --local-file /full/local/location/file --remote-file /remote/location/file

Working With SSH Keys

When the remote host doesn’t support SSH Certificates, you can still work with Akeyless SCP utilizing SSH Keys where the relevant private key is stored as a Static Secret within Akeyless, where the connection from the client to the Akeyless Bastion is established over short-lived SSH certificate, and from the Akeyless Bastion, the connection is established over SSH using keys, for example:

akeyless-scp <username>@<target-host> via <sra-bastion-ssh-service> --local-file demo_file --remote-file /home/ubuntu/demo_file --name "/path/to/static-secret-of-ssh_private_key"

The --name should point to a static secret in Akeyless holding the SSH private key. Users should have only list permission on this item, while the Bastion should have read permission.

In that case, a tunnel will be established, and the Akeyless Bastions will fetch the key and allow the client to use it without exposing it to them.